Design of a Process for Software Security

Byers, David; Shahmehri, Nahid

doi:10.1109/ares.2007.67

Cited by 24 publications

(17 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Some of the techniques are reviewed and presented in Table- [16] presented a process consisting vulnerability modeling together with vulnerability cause mitigation and process component definition. These are based on vulnerability cause graphs.…”

Section: Techniquesmentioning

confidence: 99%

A Categorized Review on Software Security Testing

Mahendra¹,

Khan²

2016

IJCA

View full text Add to dashboard Cite

The main objective of security testing is to check the weaknesses of the implemented security mechanism. It is done for finding the vulnerabilities of a system and to determine whether the system is protected from intruders or not. Security testing can be done prior to production or after the production of the system. But, if the security testing is done after the production, then cost will be more and the huge amount of rework will be required to remove the problems. Also the time between the vulnerability is get known and the malicious attack against it, is becoming less. Therefore it is required to include the security testing in the early phases of software development life cycle. The present paper deals with the review of software security testing approaches and techniques proposed so far. The review is presented in a categorized way and tabulated for the last one and half decade (2000)(2001)(2002)(2003)(2004)(2005)(2006)(2007)(2008)(2009)(2010)(2011)(2012)(2013)(2014)(2015).

show abstract

Section: Techniquesmentioning

confidence: 99%

A Categorized Review on Software Security Testing

Mahendra¹,

Khan²

2016

IJCA

View full text Add to dashboard Cite

show abstract

“…In addition to reporting the problems discovered during development, the security reports should be created when [8]:…”

Section: Report New Risk New Mitigation Techniquementioning

confidence: 99%

“…structured way [3,6,8]. S 3 P is designed to be process agnostic and is a software development improvement process that runs in parallel to the software life cycle and interacts with it to enhance security.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Integrating a Security Plug-in with the OpenUP/Basic Development Process

Ardi

Shahmehri

2008

2008 Third International Conference on Availability, Reliability and Security

Self Cite

View full text Add to dashboard Cite

In this paper we present a security plug-in for the OpenUP/Basic development process. Our security plug-in is based on a structured unified process for secure software development, named S 3 P (Sustainable Software Security Process). This process provides the formalism required to identify the causes of vulnerabilities and the mitigation techniques that prevent these vulnerabilities. We also present the results of an expert evaluation of the security plug-in. The lessons learned from development of the plug-in and the results of the evaluation will be used when adapting S 3 P to other software development processes.

show abstract

“…The language was developed as a more expressive replacement for vulnerability cause graphs [12] (used to model the causes of vulnerabilities), security activity graphs [13] (used to model the alternatives for performing security-related activities), security goal indicator trees [14] (used to model the process of goal-driven inspection) and attack trees [15] (used to model how to perform attacks). SGMs provide richer relationships between model elements, a key property when being used for automated applications such as passive testing.…”

Section: Security Goal Modelsmentioning

confidence: 99%

An advanced approach for modeling and detecting software vulnerabilities

Shahmehri

Mammar

et al. 2012

Information and Software Technology

Self Cite

View full text Add to dashboard Cite

Context. Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system.Objective. In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection.Method. Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs.Results. We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach.Conclusion. Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.

show abstract

Design of a Process for Software Security

Cited by 24 publications

References 12 publications

A Categorized Review on Software Security Testing

A Categorized Review on Software Security Testing

Integrating a Security Plug-in with the OpenUP/Basic Development Process

An advanced approach for modeling and detecting software vulnerabilities

Contact Info

Product

Resources

About